--- 9.10.4rc1 released ---
+4436. [bug] Fixed a regression introduced in change #4337 which
+ caused signed domains with revoked KSKs to fail
+ validation. [RT #42147]
+
4345. [contrib] perftcpdns mishandled the return values from
clock_nanosleep. [RT #42131]
rm -f ns3/ttlpatch.example.db ns3/ttlpatch.example.db.signed
rm -f ns3/ttlpatch.example.db.patched
rm -f ns3/unsecure.example.db ns3/bogus.example.db ns3/keyless.example.db
+rm -f ns3/revkey.example.db
rm -f ns3/managed-future.example.db
rm -f ns4/managed-keys.bind*
rm -f ns4/named.conf
managed-future NS ns.managed-future
ns.managed-future A 10.53.0.3
+
+revkey NS ns.revkey
+ns.revkey A 10.53.0.3
dynamic keyless nsec3 optout nsec3-unknown optout-unknown \
multiple rsasha256 rsasha512 kskonly update-nsec3 auto-nsec \
auto-nsec3 secure.below-cname ttlpatch split-dnssec split-smart \
- expired expiring upper lower managed-future
+ expired expiring upper lower managed-future revkey
do
cp ../ns3/dsset-$subdomain.example. .
done
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
-; $Id: keyless.example.db.in,v 1.5 2007/06/19 23:47:02 tbox Exp $
-
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
allow-update { any; };
};
+zone "revkey.example" {
+ type master;
+ file "revkey.example.db.signed";
+};
+
include "siginterval.conf";
include "trusted.conf";
$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
zone=keyless.example.
-infile=keyless.example.db.in
+infile=generic.example.db.in
zonefile=keyless.example.db
keyname=`$KEYGEN -q -r $RANDFILE -a RSAMD5 -b 768 -n zone $zone`
zskname=`$KEYGEN -q -r $RANDFILE $zone`
cat $infile $kskname.key $zskname.key >$zonefile
$SIGNER -P -s +3600 -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+
+#
+# A zone with a revoked key
+#
+zone=revkey.example.
+infile=generic.example.db.in
+zonefile=revkey.example.db
+
+ksk1=`$KEYGEN -q -r $RANDFILE -3fk $zone`
+ksk1=`$REVOKE $ksk1`
+ksk2=`$KEYGEN -q -r $RANDFILE -3fk $zone`
+zsk1=`$KEYGEN -q -r $RANDFILE -3 $zone`
+
+cat $infile ${ksk1}.key ${ksk2}.key ${zsk1}.key >$zonefile
+
+$SIGNER -P -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
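Review bot: The revoked-key step at `ksk1=\`$REVOKE $ksk1\`` is unchecked, so if dnssec-revoke fails ksk1 becomes empty, `${ksk1}.key` expands to `.key`, and the zone is signed with only ksk2/zsk1 — the later "validation succeeds when a revoked key is encountered" check would then pass without any revoked key ever being in the zone. A one-line guard such as `[ -n "$ksk1" -a -f "${ksk1}.key" ] || exit 1` after the revoke line keeps the test from passing vacuously. The signer's exit status is also discarded via `> /dev/null 2>&1`, as for the other zones in this file, so a signing failure would surface only as a confusing SERVFAIL later; that is pre-existing style, not introduced here. Separately, the switch of keyless.example's `infile` to `generic.example.db.in` appears to leave `keyless.example.db.in` (still edited in this commit) unreferenced by this script — worth confirming it is not used elsewhere before keeping it.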
status=`expr $status + $ret`
fi
+echo "I:checking that validation succeeds when a revoked key is encountered ($n)"
+ret=0
+$DIG $DIGOPTS revkey.example soa @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags: .* ad" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+if [ -x ${DELV} ] ; then
+ ret=0
+ echo "I:checking that validation succeeds when a revoked key is encountered using dns_client ($n)"
+ $DELV $DELVOPTS +cd @10.53.0.4 soa revkey.example > delv.out$n 2>&1 || ret=1
+ grep "fully validated" delv.out$n > /dev/null || ret=1
+ n=`expr $n + 1`
+ if [ $ret != 0 ]; then echo "I:failed"; fi
+ status=`expr $status + $ret`
+fi
+
echo "I:Checking that a bad CNAME signature is caught after a +CD query ($n)"
ret=0
#prime
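Review bot: The new checks cover only the case the regression broke — a revoked KSK that is not a configured trust anchor (revkey.example chains from ns1 via DS), where validation must still succeed with the AD flag set. The other branch of the accompanying zone.c change, a revoked key that *is* a configured trust anchor and must fail secure, gets no test here; unless it is exercised elsewhere in this file, a companion check that such a zone returns SERVFAIL (and that `+cd` still returns the data) would pin the fail-secure behaviour the code comment promises. The dig and delv checks themselves read fine; `grep "flags: .* ad"` is the right assertion for the regression.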
isc_buffer_init(&buffer, data, sizeof(data));
dns_rdata_fromstruct(&rdata, dnskey->common.rdclass,
dns_rdatatype_dnskey, dnskey, &buffer);
+
result = dns_dnssec_keyfromrdata(keyname, &rdata, mctx, &key);
if (result != ISC_R_SUCCESS)
return;
+
result = dns_view_getsecroots(view, &sr);
if (result == ISC_R_SUCCESS) {
- dns_keytable_deletekeynode(sr, key);
- dns_keytable_marksecure(sr, keyname);
+ result = dns_keytable_deletekeynode(sr, key);
+
+ /*
+ * If key was found in secroots, then it was a
+ * configured trust anchor, and we want to fail
+ * secure. If there are no other configured keys,
+ * then leave a null key so that we can't validate
+ * anymore.
+ */
+
+ if (result == ISC_R_SUCCESS)
+ dns_keytable_marksecure(sr, keyname);
+
dns_keytable_detach(&sr);
}
+
dst_key_free(&key);
}
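Review bot: The return value of `dns_keytable_marksecure(sr, keyname)` is still discarded on the new conditional line, so if installing the null key fails after `dns_keytable_deletekeynode` has already removed the anchor, the name is left with no trust anchor and no null key — the "fail secure" intent in the new comment silently does not hold, and the outcome is closer to fail-insecure. Capturing it, `result = dns_keytable_marksecure(sr, keyname);`, and logging at warning level when `result != ISC_R_SUCCESS` would make that state visible; the logging context available here (zone or view) is outside the hunk. Relatedly, if dns_keytable_deletekeynode can return a code other than ISC_R_SUCCESS or ISC_R_NOTFOUND, `if (result == ISC_R_SUCCESS)` now folds such failures into "was not a configured anchor" — at minimum the unexpected code deserves a log line. The enclosing function begins outside the hunk.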